On January 6, 2021, the proposed Biometric Privacy Act (the “Act”) was introduced to the New York State legislature.  If adopted as drafted, the Act will require:

  • Any private entity that “possesses”¹ any biometric identifiers and/or information² (or “biometric data”) must have a written policy, publicly available³, establishing its retention and destruction schedule, as well as a secure means of destroying the data on the sooner of (i) when no longer needed for its original purpose of collection or (ii) after three years from the private entity’s interaction with the person providing the data.
  • A private entity cannot acquire, collect, trade, store, purchase or capture biometric data, whether from the person themselves or a third party unless the entity first:
    • Informs the subject that their data is being so collected, stored, captured, purchased and/or traded
    • Informs the subject of the underlying legal purpose the data is being collected, stored and/or used
    • Receives a written release4 from the person or their legal representative.

To be clear, this will apply whether the data is collected from an employee (consider a biometric time clock) or a customer (think thumb prints used at amusement parks and to unlock devices).

Further, the draft legislation proscribes Continue Reading First, There Was The New York Shield Act, and Now… The New York Biometric Privacy Act?

Earlier this month, we learned that the SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1*, released between March 2020 and June 2020, were compromised by an advanced persistent threat actor (or APT).  The perpetrators of this sophisticated attack implanted a Trojan into a legitimate update to the Orion Platform that was released in March.  Once the Trojan was activated, it allowed the threat actor to not only have high level credentials into the Orion Platform, but to potentially move across other areas of the compromised target’s network and systems.

Until recently, the SolarWinds’ site listed representative clients, including such companies as CISCO, AT&T, Ford Motor Company and all five top US accounting firms, to name a few.  Its federal (government) clients include all five branches of the US Military, the US Pentagon, State Department, the Treasury Department, NASA, and NSA.  Many local governments also use SolarWinds’ products.

If a firm was using the impacted SolarWinds Orion platform, that does not necessarily mean that the malware had been activated.  DHS and CISA both recommend that businesses concerned that they may have been impacted should:

  • Mirror impacted systems to preserve forensic data for further investigation
  • Deactivate the platform
  • Retain the services of a firm with expertise in cyberthreat hunting to actively look for anomalies in the business’ systems and networks
  • Change all passwords and account credentials
  • Implement multifactor authentication
  • For firms currently using 128-bit encryption, upgrade to 256-bit encryption
  • To the extent that the Orion Platform was part of an entity’s cyber risk management strategy, alternative processes and procedures should be implemented.

It is important to follow specific steps in working to investigate, eradicate and rebuild/restore impacted systems.

Please see the CISA website for the most up to date guidance and information.  As of, December 23, 2020, this link provides the most up-to-date information from CISA:  Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA

While SolarWinds released two hot patches the week of December 14, 2020, as of the day of this writing, DHS and CISA continue to recommend  that firms exercise caution in applying the patches and restoring or continuing to run the Orion Platform.  Note also that FireEye released a kill switch that was reported to stop the continued attack.  However, impacted entities will have a long road to restore impacted systems and determine what was already compromised.

However, over this past weekend, a further vulnerability in SolarWinds’ Orion product was reported by Carnegie Mellon.  The report indicated that the Orion API authentication bypass can allow a hacker to remotely execute commands.  While there is a patch available to address this, we recommend caution still as further vulnerabilities in the product may come to light in the coming weeks.

Rumors were circulating last week that Microsoft’s cloud environment had been compromised, too, as a result of the Orion Trojan.  CISA and DHS explained in a briefing on Friday, December 18, 2020, that Microsoft Cloud was not compromised.  However, the Trojan hidden in the Orion March 2020 upgrade allowed the bad actors to steal credentials to impacted entities’ other accounts – including Microsoft Cloud access credentials.  With the legitimate (stolen) credentials, the bad actors were able to access data in entities’ Microsoft cloud accounts.

Potentially impacted firms are advised to examine their active directories in their Microsoft account for anomalous activity.

Business emails of high level officials and roles within an organization have been observed as particular targets of the APT.  As such, refresher training of personnel to heighten awareness of business email compromises are in order.

Even if your entity was not running one of the impacted products, check with key vendors to ascertain whether they were impacted.  If so, either their access to your systems may have been compromised and/or their ability to provide their services to your organization may be impacted.

If you have questions regarding the foregoing, or would like referrals to additional resources, please contact your attorney or the author of this blog post, Michelle A. Schaap of Chiesa Shahinian & Giantomasi PC.

*Impacted Products:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

For those businesses located in the State of New Jersey, the state does not (yet) have proactive legislation in place requiring businesses to take “reasonable” measures to protect personal information of residents.  However, if you have customers and/or personnel from outside the State, you may already be subject to the proactive legislation requirements of other jurisdictions.

Last year, we shared information regarding the New York SHIELD Act, which now requires any business that receives, collects, stores, processes and otherwise manages personal information regarding New York residents to take proactive, reasonable measures to secure that information.  If a business fails to take such measures, and the data at issue is subsequently breached, the company can face harsh fines.  Moreover, if the same company had posted on its website that it took reasonable measures to secure customers’ data, but failed to meet the standards of the NY SHIELD Act, this could also be charged federally as a violation of the Federal Trade Commission Act as a deceptive trade practice.  Remember also that under the NY SHIELD Act, the mere access (without exfiltration, alteration or removal) of personal information is a reportable breach if that data is not encrypted.

Now, Massachusetts’ Attorney General has indicated that it, too, will be pursuing companies that fail to comply with Massachusetts’ law (which has been in effect since 2010).  This law requires businesses that collect, store, process and otherwise manage personal information regarding Massachusetts residents to have a WISP or written information security program.  Of course, having a program that is followed in the exception does not equate to compliance.

At present, only the California legislature has given individuals a statutory private cause of action if a business fails to take “reasonable” measures to protect residents’ personal information and that information is then compromised.  As seen in the Dittman case in Pennsylvania, however, courts have found that a cyber breach is a “foreseeable” risk, and even absent proactive legislation impacting your business, if you have not taken measures to prevent this foreseeable risk, you can be held liable when the “if” becomes when and that data is breached.

Being proactive may not prevent a breach, but it will help to protect your business from fines and private litigation.

Please contact your attorney when you are ready to take this important step to protect information regarding your business, its employees and customers.

On October 29, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the U.S. Department of Health and Human Services (HHS) warned of an increased, imminent threat to U.S. hospitals and healthcare providers. The agencies have credible information that malicious cyber actors are targeting the healthcare and public health sectors with malware such as Ryuk, Conti, TrickBot and BazarLoader. Use of this malware can result in ransomware attacks, disruption of healthcare services and data theft. The joint CISA, FBI and HHS alert (AA20-302A) can be found here. The alert references a joint CISA MS-ISAC ransomware guide with best practices that can be found here.

We urge our healthcare and public sector clients to increase protective measures to prevent ransomware attacks, such as alerting employees to be vigilant with respect to phishing attempts and ensuring software and operating systems are patched and updated. Additional steps include: regularly backing up systems and data; ensuring passwords are robust and changed periodically; minimizing access so that personnel credentials only allow each employee to access information related to his/her/their duties; and with remotely working personnel and outside resources, making sure your points of contact are current. It is also a good time, if clients have not done so already, to establish or reassess your entity’s cyber incident response plan.

Attorneys at CSG are available to assist with your cybersecurity needs, to train personnel, prepare and update incident response plans, and help you appropriately respond to a ransomware attack or other security incident, should one occur.

On August 30, 2020, the California Legislature passed AB-1281 which, if signed by Governor Newsom, will extend two key exemptions to the California Consumer Privacy Act (the “CCPA”) until January 1, 2022.  The extension of these exemptions, which will otherwise expire on January 1, 2021 without legislative or voter action, will come as welcome news to businesses as they continue to implement CCPA-compliant policies and procedures.

The two exemptions are the “employee” exemption and the “business-to-business” (“B2B”) exemption:

  • The employee exemption provides that personal information collected by a business in the employment context is mostly exempt from the CCPA provided that it is used (1) in the course of an individual’s employment, (2) to maintain an emergency contact on file, or (3) to administer benefits to another person.
  • Under the B2B exemption, personal information reflected in communications between businesses is largely exempt from the CCPA if the consumer is acting on behalf of a business and is conducting due diligence or providing or receiving a product or service.

The California Privacy Act Rights Act (“CPARA”), if approved by California voters in November, will supersede AB-1281’s extensions.  The CPARA, however, would in fact further extend these exemptions until January 1, 2023.

For more information as to the extent of these exemptions, CCPA generally, and other states’ privacy laws, please contact us.

CSG/LIFARS webinar_Cybersecurity and Data Protection Best Practices Amid COVID-19

CSG’s Michelle A. Schaap will join Ondrej Krehel, CEO and Founder of LIFARS, LLC, and Roota Almeida, CISO with Delta Dental of New Jersey and Connecticut, on Wednesday, July 29, from 3:00 – 3:45 PM EDT for a virtual discussion around strategy and best practices in the face of the current escalated legal and cyber threat landscape.

The program entitled, “Giving Diligence its Due: Timeless Strategies for Surviving Change,” will cover a range of topics including:

  • The impact of an increasingly remote workforce on compliance policies and procedures
  • The value of implementing written data protection procedures
  • How to prepare for due diligence questionnaires
  • Cybersecurity frameworks to help ensure compliance with current regulations

To register for this program, please visit the event website.

Today, July 16, 2020, the Court of Justice1 invalidated Privacy Shield as a means to self-certify that a business is securely and appropriately protecting personal data when transferring such data from the EU to the United States. In part, the Court found that the Privacy Shield did not adequately ensure individuals’ audit rights or appropriate recourse, and therefore, the Court invalidated Privacy Shield, effective immediately. There is no grace period

This same court invalidated the Safe Harbor in 2015, and Privacy Shield then replaced that Safe Harbor.

This ruling impacts more than 5,000 companies that incurred the time and expense to self-certify under Privacy Shield. Continue Reading No More Safe Harbor… Take Two: Immediate Invalidation of Privacy Shield

The FBI issued an alert warning of an attack targeting e-commerce websites.  The bad actors are embedding code directly into the e-commerce site to then skim account information.

The notice, found here, provides the details of this attack.

As always, the best defense against this and other cyberattacks is to have layers of defenses and proactive policies and procedures in place, including:

  • Patching systems, including operating systems, software and third party-sourced code
    • Patching systems includes ensuring that your remote work force is keeping their devices touching the company’s environment patched, too
  • Keep anti-virus and anti-malware up to date
    • Remote staff members should be accessing the company’s environment through a secure VPN
  • Disable extensions and functions within your site that are not being used

Also, remember that less is more:  If you have inactive accounts, consider removing these from your live, connected and operating environments and, instead, retain that data only in off-line archives.  Further, review your data destruction policies, and delete old and/or superseded account information.

Other best practices for e-retailers include:

  • Remind customers to use robust passwords
  • Direct customers to not use the same password for multiple accounts
  • Remind remotely working employees to not use the same device for work access as family members use to game, visit school sites and/or visit other e-commerce sites

Be alert, be aware and be secure.

You are in a fantasy football league registered under your email and your password.  Unbeknownst to you, however, the leagues site has been breached, and access credentials have been stolen.  The site discovers the breach, investigates the breach, and gives notice to impacted individuals.

If you are lucky, the time frame from when the original breach occurred and when you receive notice is 60 days;  more likely it will be a longer time frame – potentially 18 months or longer.  In the meantime, because you reuse your password for multiple accounts, the bad actor that compromised the fantasy league site has already used your password to access your Gmail or AOL account, reset your password, and has logged into your bank account and drained your funds.

Sound like a bad made-for-TV movie or detective show episode?

Sadly, the scenario outlined above is true and happened to a gentleman in Texas, and was shared during a recent InfraGard¹ webinar. Continue Reading The Life of a Data Breach: The “Gift” That Keeps on Giving

The “kill chain” is a phrase that refers to the FBI’s ability to interrupt or kill the miswiring and loss of funds.

This is an extremely powerful resource given that cyber criminals have been targeting entities that use Microsoft Office 365 and Google G Suite to perpetuate business email compromise (BEC) scams.  The “phish kits” used for this particular attack enables the bad actor to mimic the otherwise legitimate cloud based email to compromise accounts and lure victims into sending or misdirecting funds. This scam has been used over the past 5 years by cyber criminals targeting Microsoft 365 and Google G Suite to steal more than $2.1 billion dollars.

If any of your clients are fooled by a spoofed email, phish or link and miswire funds, if they notify the FBI within 48 hours (sometimes as long as 72 hours, but the sooner the better chance of success) there is a strong probability (not guaranteed) that the FBI can recapture some, if not all, of the funds, but the party that sent the funds must alert the FBI within this window for any chance of success.

We do recommend that impacted companies make contact through our office so that we can be certain information gets to the right agents at the FBI ASAP.

While we always recommend a strong defensive posture – including training of personnel, processes for approval and verification of any requested wiring of funds, and other appropriate measures – even with vigilant personnel, good people are being fooled.

Please contact us to discuss training for your personnel, developing, reviewing and/or improving your processes, and to make introductions for you with your local FBI agents before you need to call them to activate the kill chain.